<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Encrypting communications in an Elasticsearch Docker Container | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'configuring-tls-docker.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/configuring-tls-docker.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/configuring-tls-docker.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/configuring-tls-docker.html" rel="nofollow" target="_blank">../en/configuring-tls-docker.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="encrypting-communications.html">Encrypting communications</a></span>
»
<span class="breadcrumb-node">Encrypting communications in an Elasticsearch Docker Container</span>
</div>
<div class="navheader">
<span class="prev">
<a href="configuring-tls.html">« Encrypting communications in Elasticsearch</a>
</span>
<span class="next">
<a href="ciphers.html">Enabling cipher suites for stronger encryption »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="configuring-tls-docker"></a>Encrypting communications in an Elasticsearch Docker Container<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Unless you are using a trial license, Elastic Stack security features require
SSL/TLS encryption for the transport networking layer.</p>
<p>This section demonstrates an easy path to get started with SSL/TLS for both
HTTPS and transport using the Elasticsearch Docker image. The example uses
Docker Compose to manage the containers.</p>
<p>For further details, see
<a class="xref" href="encrypting-communications.html" title="Encrypting communications"><em>Encrypting communications</em></a> and
<a href="https://www.elastic.co/subscriptions" class="ulink" target="_top">available subscriptions</a>.</p>
<h4>
<a id="_prepare_the_environment"></a>Prepare the environment<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc">edit</a>
</h4>
<p><a class="xref" href="docker.html" title="Install Elasticsearch with Docker">Install Elasticsearch with Docker</a>.</p>
<p>Inside a new, empty directory, create the following four files:</p>
<p><code class="literal">instances.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">instances:
  - name: es01
    dns:
      - es01 <a id="CO490-1"></a><i class="conum" data-value="1"></i>
      - localhost
    ip:
      - 127.0.0.1

  - name: es02
    dns:
      - es02
      - localhost
    ip:
      - 127.0.0.1</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO490-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Allow use of embedded Docker DNS server names.</p>
</td>
</tr>
</table>
</div>
<p><code class="literal">.env</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">COMPOSE_PROJECT_NAME=es <a id="CO491-1"></a><i class="conum" data-value="1"></i>
CERTS_DIR=/usr/share/elasticsearch/config/certificates <a id="CO491-2"></a><i class="conum" data-value="2"></i>
ELASTIC_PASSWORD=PleaseChangeMe <a id="CO491-3"></a><i class="conum" data-value="3"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO491-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Use an <code class="literal">es_</code> prefix for all volumes and networks created by docker-compose.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO491-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The path, inside the Docker image, where certificates are expected to be found.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO491-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>Initial password for the <code class="literal">elastic</code> user.</p>
</td>
</tr>
</table>
</div>
<p><a id="getting-starter-tls-create-certs-composefile"></a><code class="literal">create-certs.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">version: '2.2'

services:
  create_certs:
    container_name: create_certs
    image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1
    command: &gt;
      bash -c '
        if [[ ! -f /certs/bundle.zip ]]; then
          bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;
          unzip /certs/bundle.zip -d /certs; <a id="CO492-1"></a><i class="conum" data-value="1"></i>
        fi;
        chown -R 1000:0 /certs
      '
    user: "0"
    working_dir: /usr/share/elasticsearch
    volumes: ['certs:/certs', '.:/usr/share/elasticsearch/config/certificates']

volumes: {"certs"}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO492-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The new node certificates and CA certificate+key are placed in a docker volume <code class="literal">es_certs</code>.</p>
</td>
</tr>
</table>
</div>
<p><a id="getting-starter-tls-create-docker-compose"></a><code class="literal">docker-compose.yml</code>:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">version: '2.2'

services:
  es01:
    container_name: es01
    image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1
    environment:
      - node.name=es01
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD <a id="CO493-1"></a><i class="conum" data-value="1"></i>
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial <a id="CO493-2"></a><i class="conum" data-value="2"></i>
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es01/es01.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate <a id="CO493-3"></a><i class="conum" data-value="3"></i>
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es01/es01.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es01/es01.key
    volumes: ['data01:/usr/share/elasticsearch/data', 'certs:$CERTS_DIR']
    ports:
      - 9200:9200
    healthcheck:
      test: curl --cacert $CERTS_DIR/ca/ca.crt -s https://localhost:9200 &gt;/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5

  es02:
    container_name: es02
    image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1
    environment:
      - node.name=es02
      - discovery.seed_hosts=es01,es02
      - cluster.initial_master_nodes=es01,es02
      - ELASTIC_PASSWORD=$ELASTIC_PASSWORD
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=trial
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=$CERTS_DIR/es02/es02.key
      - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.http.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate <a id="CO493-4"></a><i class="conum" data-value="3"></i>
      - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt
      - xpack.security.transport.ssl.certificate=$CERTS_DIR/es02/es02.crt
      - xpack.security.transport.ssl.key=$CERTS_DIR/es02/es02.key
    volumes: ['data02:/usr/share/elasticsearch/data', 'certs:$CERTS_DIR']

  wait_until_ready:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.7.1
    command: /usr/bin/true
    depends_on: {"es01": {"condition": "service_healthy"}}

volumes: {"data01", "data02", "certs"}</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO493-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>Bootstrap <code class="literal">elastic</code> with the password defined in <code class="literal">.env</code>. See
<a class="xref" href="built-in-users.html#bootstrap-elastic-passwords" title="The Elastic bootstrap password">The Elastic bootstrap password</a>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO493-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>Automatically generate and apply a trial subscription, in order to enable
security features.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO493-3"><i class="conum" data-value="3"></i></a><a href="#CO493-4"></a></p>
</td>
<td align="left" valign="top">
<p>Disable verification of authenticity for inter-node communication. Allows
creating self-signed certificates without having to pin specific internal IP addresses.</p>
</td>
</tr>
</table>
</div>
<h4>
<a id="_run_the_example"></a>Run the example<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc">edit</a>
</h4>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Generate the certificates (only needed once):</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">docker-compose -f create-certs.yml run --rm create_certs</pre>
</div>
</li>
<li class="listitem">
<p>Start two Elasticsearch nodes configured for SSL/TLS:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">docker-compose up -d</pre>
</div>
</li>
<li class="listitem">
<p>Access the Elasticsearch API over SSL/TLS using the bootstrapped password:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">docker run --rm -v es_certs:/certs --network=es_default docker.elastic.co/elasticsearch/elasticsearch:7.7.1 curl --cacert /certs/ca/ca.crt -u elastic:PleaseChangeMe https://es01:9200</pre>
</div>
</li>
<li class="listitem">
<p>The <code class="literal">elasticsearch-setup-passwords</code> tool can also be used to generate random
passwords for all users:</p>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>Windows users not running PowerShell will need to remove <code class="literal">\</code> and join lines in the snippet below.</p>
</div>
</div>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">docker exec es01 /bin/bash -c "bin/elasticsearch-setup-passwords \
auto --batch \
--url https://localhost:9200"</pre>
</div>
</li>
</ol>
</div>
<h4>
<a id="_tear_everything_down"></a>Tear everything down<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/configuring-tls-docker.asciidoc">edit</a>
</h4>
<p>To remove all the Docker resources created by the example, issue:</p>
<div class="pre_wrapper lang-sh">
<pre class="programlisting prettyprint lang-sh">docker-compose down -v</pre>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="configuring-tls.html">« Encrypting communications in Elasticsearch</a>
</span>
<span class="next">
<a href="ciphers.html">Enabling cipher suites for stronger encryption »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>